On Thu, Jan 16, 2003 at 03:17:44PM -0800, Josh Brooks wrote:
> I am looking for comments and suggestions regarding the merits of purpose-built, appliance style firewalls (like a netscreen or Cisco PIX) vs. running ipfw on a commodity server running FreeBSD.
There is really no benefit to purchasing a vendor-built firewall when the real problem is protecting the servers' tcp/ip stacks and the applications above them, as well as all the infrastructure in between (routers, switches, whatever). Do yourself a favor and spend half as much as you would on firewalls and invest in a packet capture infrastructure to identify exactly what types of attacks you are getting. I believe the beta version of ipfilter allows you to specify bpf logic to block packets. So just configure up each *BSD host with bpf-enabled ipf filters that block the traffic you earlier identified with your packet capture infrastructure (and if you are using libpcap based tools, you are probably already using bpf to match on packets).

For legitimate attacks, I suggest buying more bandwidth and scaling your infrastructure appropriately. It also helps to report your findings to others, especially the network and security communities, the places of attack origin (even when spread out), and the transit networks involved in passing along the attacks (especially your upstreams).

It's also considered nice to block outgoing packets which match the attacks you've seen, even if you believe your infrastructure to be impenetrable.

However, if done right or wrong, any vendor-based or commodity *BSD solution can be less or more powerful than any other solution.

dre
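The capture-then-block workflow above (identify an attack pattern from captured packets, then turn it into bpf matching logic and per-host deny rules, including the outbound mirror), as an added offline example that is not part of the thread: it builds a small constructed pcap of Ethernet/IPv4/TCP frames, flags sources sending a burst of bare SYNs, and emits a tcpdump-style BPF expression plus ipfw rules. The SYN threshold, the addresses and the `setup`-based rule shape are assumptions for illustration.

```python
"""Parse a constructed pcap, find bare-SYN flooders, emit BPF + ipfw block rules."""
import struct
from collections import Counter

SYN, ACK = 0x02, 0x10

def build_pcap(pkts):
    """Constructed pcap (DLT_EN10MB): one Ethernet/IPv4/TCP frame per (src, dst, sport, dport, flags)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # 24-byte global header
    for src, dst, sport, dport, flags in pkts:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp          # zero MACs, ethertype IPv4
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

def parse_pcap(data):
    """Yield (src, dst, dport, tcp_flags) for each IPv4/TCP frame; other frames are skipped."""
    off = 24                                                    # skip global header
    while off + 16 <= len(data):
        caplen = struct.unpack_from("<I", data, off + 8)[0]
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:       # not IPv4, or not TCP
            continue
        ihl = (frame[14] & 0x0F) * 4
        src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:]
        yield src, dst, struct.unpack_from("!H", tcp, 2)[0], tcp[13]

def find_syn_flooders(data, threshold):
    """Sources whose bare-SYN count (SYN set, ACK clear) reaches the assumed threshold."""
    hits = Counter(s for s, _, _, f in parse_pcap(data) if f & (SYN | ACK) == SYN)
    return sorted(s for s, n in hits.items() if n >= threshold)

def block_rules(sources):
    """BPF expression for the identified pattern, plus ipfw deny rules for both directions."""
    bpf = ("tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and ("
           + " or ".join(f"src host {s}" for s in sources) + ")")
    ipfw = []
    for s in sources:
        ipfw.append(f"ipfw add deny tcp from {s} to any in setup")     # inbound attack pattern
        ipfw.append(f"ipfw add deny tcp from any to {s} out setup")    # outbound mirror of it
    return bpf, ipfw

# Constructed sample: one source sends five bare SYNs, a legitimate client completes a handshake.
SAMPLE_PCAP = build_pcap([("198.51.100.7", "192.0.2.10", 40000 + i, 80, SYN) for i in range(5)]
                         + [("203.0.113.5", "192.0.2.10", 51000, 80, SYN),
                            ("203.0.113.5", "192.0.2.10", 51000, 80, ACK)])
```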